CommonSpirit Ransomware Breach Affects About 624,000 So Far
Leaked Data Includes Names, Addresses and Birthdates
The ransomware hacking incident at CommonSpirit affected the data of at least approximately 624,000 individuals, the hospital chain told federal regulators.
The second-largest nonprofit hospital chain in the United States has slowly dribbled out information about the ransomware attack it first detected in early October (see: Patients Affected by Cybersecurity Event at Hospital Chain).
A Monday update to the Department of Health and Human Services' HIPAA Breach Reporting Tool is the first data-driven indicator of the incident's scope. The hacking incident involving a network server affected 623,774 individuals, the hospital chain says.
Among the information compromised were names, addresses, phone numbers, birthdates, and a unique ID used only internally by the organization.
CommonSpirit says it is reviewing additional files potentially affected by the ransomware incident, meaning the total number of affected individuals could increase. So far, CommonSpirit has not issued breach notifications for any other entities affected by the ransomware incident.
Individuals known to be affected include patients who received services from any of seven hospitals in Washington state that are collectively part of Virginia Mason Franciscan Health, an affiliated entity of CommonSpirit, as well as those patients' family members or caregivers.
The affected Virginia Mason Franciscan Health entities include St. Michael Medical Center, St. Anne Hospital, St. Anthony Hospital, St. Clare Hospital, St. Elizabeth Hospital, St. Francis Hospital and St. Joseph Hospital (see: CommonSpirit: Patients' Data Breached in Ransomware Attack).
As of publication, there is no report posted on the HHS OCR data breach website regarding Des Moines, Iowa-based hospital MercyOne, which was also affected by the CommonSpirit ransomware incident. MercyOne was previously jointly owned by CommonSpirit and Michigan-based Trinity Health before being acquired by Trinity Health this year.
MercyOne still uses CommonSpirit's IT systems, and the Iowa-based entity's electronic health records access and other application functionality were affected for several weeks following the ransomware incident.